Cyber Posture

CVE-2020-36910

HighPublic PoC

Published: 06 January 2026

Published
06 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0053 67.5th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Cayin Signage Media Player 3.0 contains an authenticated remote command injection vulnerability in system.cgi and wizard_system.cgi pages. Attackers can exploit the 'NTP_Server_IP' parameter with default credentials to execute arbitrary shell commands as root.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates CVE-2020-36910 by identifying, patching, or updating the vulnerable CGI scripts to eliminate the command injection flaw.

SI-10 Information Input Validation good match
prevent

Prevents exploitation of the NTP_Server_IP parameter by validating inputs to reject command injection payloads containing shell metacharacters.

AC-2 Account Management partial match
prevent

Reduces attack surface by disabling default credentials or enforcing strong account management, hindering authenticated access needed to exploit the vulnerability.

Security SummaryAI

CVE-2020-36910 is an authenticated remote command injection vulnerability (CWE-78) affecting Cayin Signage Media Player 3.0, specifically in the system.cgi and wizard_system.cgi pages. The flaw resides in the 'NTP_Server_IP' parameter, which attackers can exploit using default credentials to execute arbitrary shell commands as root. Published on 2026-01-06, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, and potential for complete system compromise.

An attacker requires network access to the affected device and valid low-privilege credentials, such as the defaults provided by the software. Once authenticated, they can submit a malicious payload via the vulnerable 'NTP_Server_IP' parameter in the specified CGI pages, leading to remote code execution with root privileges. This grants high-impact control over confidentiality, integrity, and availability, allowing arbitrary command execution on the target system.

Advisories and additional details, including potential exploits, are documented in references such as https://cxsecurity.com/issue/WLB-2020060049, https://exchange.xforce.ibmcloud.com/vulnerabilities/182924, https://packetstorm.news/files/id/157942, https://www.cayintech.com, and https://www.exploit-db.com/exploits/48557. Security practitioners should consult these sources and the vendor for patch availability or mitigation guidance.

Details

CWE(s)
CWE-78

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Authenticated remote command injection in web CGI endpoints enables exploitation of public-facing application (T1190), arbitrary Unix shell execution (T1059.004), and privilege escalation from low-priv to root (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References